DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Information Technology Management Letter for the FY 2004 DHS Financial Statement Audit (Redacted)

Notice: The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. The redactions are identified as (b)(2), comparable to 5 U.S.C. § 552 (b)(2). A review under the Freedom of Information Act will be conducted upon request.

Office of Information Technology
OIG-05-27                                                                 July 2005

KPMG LLP
2001 M Street, NW
Washington, DC 20036

December 15, 2004

Office of Inspector General and Chief Information Officer,
U.S. Department of Homeland Security,
Washington, DC

Ladies and Gentlemen:

We were engaged to audit the consolidated balance sheet of the U.S. Department of Homeland Security (DHS) as of September 30, 2004, and the related consolidated statements of net cost, changes in net position, financing, and custodial activity, and combined statement of budgetary resources (hereinafter referred to as “financial statements”), for the year then ended. Because of matters discussed in our Independent Auditors’ Report, dated November 8, 2004, the scope of our work was not sufficient to enable us to express, and we did not express, an opinion on the financial statements.

In connection with our fiscal year 2004 engagement, we were also engaged to consider DHS’ internal control over financial reporting and to test DHS’ compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these financial statements. Our procedures may not include examining the effectiveness of internal controls and do not provide assurance on internal control. We have not considered internal control since the date of our report.

We noted certain matters involving internal control and other operational matters with respect to information technology that are summarized in the Information Technology Management Comments starting on page 1. These comments and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve internal control or result in other operating efficiencies. These comments are in addition to the reportable conditions presented in our Independent Auditors’ Report, dated November 8, 2004, and included in the FY 2004 DHS Performance and Accountability Report. A description of each internal control finding, and its disposition as either a material weakness or an information technology management comment, is provided in Appendix B. We have also included the current status of the prior year Notice of Findings and Recommendations in Appendix C.
Our comments related to financial management have been presented in a separate letter to the Office of Inspector General and the DHS Chief Financial Officer dated December 15, 2004.

As described above, the scope of our work was not sufficient to express an opinion on the financial statements of DHS as of and for the year ended September 30, 2004, and accordingly, other matters involving internal control over information technology may have been identified and reported had we been able to perform all procedures necessary to express an opinion. We aim, however, to use our knowledge of DHS’ organization gained during our work to make comments and suggestions that we hope will be useful to you.

This report is intended for the information and use of DHS’ management, the Office of Inspector General, the U.S. Office of Management and Budget, the U.S. Congress, and the Government Accountability Office, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

Department of Homeland Security
Information Technology Management Comments
September 30, 2004

INFORMATION TECHNOLOGY MANAGEMENT COMMENTS

Section/Comment
Reference     FISCAM General Control Area / Subject                                      Page

Information Technology Objective, Scope and Approach                                      1
Summary of Findings and Recommendations                                                   2
Findings by Audit Area                                                                    2

Entity-Wide Security Program Planning and Management                                      2
  EWS-4-01    Certification and accreditation, system inventories, reviews of controls    3
  EWS-4-02    Security training and awareness                                             3
  EWS-4-03    Security plans                                                              3
  EWS-4-04    Security risk assessments                                                   3

Access Controls                                                                           3
  AC-4-01     Passwords, user account management, excessive access privileges             4
  AC-4-02     Configuration of workstations and user accounts                             4

System Software                                                                           4
  SS-4-01     Restricting and monitoring access to operating system software              4
  SS-4-02     Documentation of operating system setting changes                           4

Segregation of Duties                                                                     5
  SD-4-01     Incompatible functions                                                      5
  SD-4-02     Position description documentation                                          5

Service Continuity                                                                        5
  SC-4-01     Business continuity / disaster plans                                        5
  SC-4-02     Testing of service continuity plans and training of professionals           6

Application Software Development and Change Controls                                      6
  ASDCC-4-01  Software changes need to be better documented                               6

Application Controls                                                                      6
  APC-4-01    Outdated application user guide of a key financial system                   6
  APC-4-02    Not consistently performing verification of data input and output,          6
              including the reconciliation of data between applications

APPENDICES

Appendix      Subject                                                                     Page
  A           Description of Financial Systems and IT Infrastructure within the Scope      7
              of the FY 2004 DHS Financial Statement Audit
  B           FY 2004 Detail Notice of IT Findings and Recommendations by DHS             13
              Organizational Element
  C           Cross-Walk – Status of Prior Year Notice of Findings and Recommendations    37
              to Current Year Notice of Findings and Recommendations
  D           Management Response to Draft IT Management Letter                           43

INFORMATION TECHNOLOGY OBJECTIVE, SCOPE AND APPROACH

KPMG performed a review of DHS IT general controls in support of the FY 2004 DHS financial statement engagement. The overall objective of our review was to evaluate the effectiveness of IT general controls of DHS’ financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office, formed the basis of our review. The scope of the IT general controls assessment included testing at DHS’ Office of the Chief Financial Officer (OCFO), and all significant DHS Bureaus as described in Appendix A.

FISCAM is designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.
FISCAM defines the following six control functions as essential to the effective operation of the general IT controls environment.

    •   Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
    •   Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
    •   System software (SS) – Controls that limit and monitor access to powerful programs that operate computer hardware.
    •   Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
    •   Service continuity (SC) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.
    •   Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
    •   Application controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.

To complement our general IT controls review, we also performed technical security testing for key network and system devices, as well as testing over key financial application controls. The technical security testing was performed both over the Internet and from within select DHS facilities, and was focused on test, development, and production devices that directly support DHS financial processing and key general support systems. The application control testing was performed to assess the controls that support the financial system’s internal controls over the input, processing, and output of financial data and transactions.

A draft version of this IT Management Letter was provided to the DHS Chief Information Officer, who generally agreed with the comments and recommendations; his response is included as Appendix D of this document.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2004 DHS took corrective action to address many prior year IT control weaknesses. However, also during FY 2004, we continued to find IT general control weaknesses at each Bureau. The most significant weaknesses from a financial statement audit perspective relate to information security (entity-wide security, access controls, and systems software). Collectively, the IT control weaknesses limit DHS’ ability to ensure that critical financial and operational data is maintained in such a manner as to ensure confidentiality, integrity, and availability.
In addition, these weaknesses negatively impact the internal controls over DHS financial reporting and its operation, and we consider them to collectively represent a material weakness under standards established by the AICPA.

Although we noted improvement, many of the conditions identified in FY 2003 have not been corrected because DHS still faces challenges related to the merging of numerous entities that have had their own IT functions, controls, processes, and overall organizational shortages. During FY 2004 DHS took steps to help address these conditions, such as restructuring the DHS Chief Information Officer’s role and function, improving its IT security program by completing DHS-wide training and awareness sessions, continuing to hold bi-weekly Information Systems Security Board (ISSB) meetings, and awarding a contract for the Electronically Managing Enterprise Resources for Government Efficiency and Effectiveness (EMERGE2) program, which will help consolidate IT functions across DHS. In addition, during FY 2004, DHS implemented additional policies and procedures related to IT controls. For example, DHS updated its Department of Homeland Security Sensitive Systems Handbook Publication, which is intended to provide DHS organizational element CIOs, Information Systems Security Managers (ISSMs) and Information Systems Security Officers (ISSOs) with the necessary guidance to develop specific policies and procedures for their individual application systems.

Despite these improvements, DHS needs further emphasis on the monitoring and enforcement of the policies and procedures through the performance of periodic security control assessments and audits. Further improvements are needed on implementing and enforcing a DHS-wide security certification and accreditation (C&A) program, and technical security control training for system administrators and security officers. Many of the technical issues identified during our review, which were also identified during FY 2003, such as weak system access controls and the lack of contingency planning strategies, can be addressed through a more effective security C&A program and security training program.

FINDINGS BY AUDIT AREA

Entity-Wide Security Program Planning and Management

During FY 2004 DHS improved its level of entity-wide security program planning and management. For example, DHS implemented an enterprise-wide security C&A tool that provides the ability to generate test plans that are mapped to DHS policy and ensures that policy compliance is actually tested during the security test and evaluation phase of the C&A process. In addition, as noted earlier, DHS-wide security training and awareness efforts were made. However, continued efforts are needed, especially in the areas of program management related to the detection and monitoring of technical information security weaknesses. Collectively, the identified entity-wide security planning and management issues, coupled with the access control issues described later in this management comment letter, reduce the overall effectiveness of the entity-wide security programs for the individual DHS Bureaus, and the overall Department.

Conditions noted in FY 2004 regarding entity-wide security program planning and management at DHS and its Bureaus were:

    •   EWS-4-01 – Despite the implementation of a security C&A tool, security C&A efforts were still not completely implemented in such a manner as to ensure the detection and prevention of technical security weaknesses.
    •   EWS-4-02 – Security training and awareness programs, especially those related to the detection and prevention of technical weaknesses, can be improved.
    •   EWS-4-03 – Security plans were incomplete, or otherwise did not meet requirements set forth in Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources (e.g., plans did not consistently document existing system security controls).
    •   EWS-4-04 – Security risk assessments were not regularly performed and were not performed consistently.

Recommendations:

Entity-wide security program planning and management controls should be in place to establish a framework and continuing cycle of activity to manage security risk, develop security policies, assign responsibilities, and monitor the adequacy of computer security related controls. We recommend that the DHS Chief Information Officer (CIO), in coordination with the CFO and other DHS functional leaders, continue efforts to fully implement a security program to ensure that:

    a. Implementation and enforcement of the C&A program continues;
    b. A DHS-wide security training and awareness program is designed and implemented consistent with OMB and NIST guidance. A key focus of the training program should be on the detection and prevention of the technical weaknesses identified earlier in this management letter;
    c. Information security planning efforts follow applicable Federal guidance (OMB and NIST);
    d. Security risk assessments are completed in a consistent manner per OMB and NIST guidance; and
    e. The above recommended entity-wide security efforts are implemented in a timely and consistent manner throughout the agency.

Access Controls

During FY 2004 we noted significant access control vulnerabilities with internal IT devices (i.e., inside the Bureaus’ firewalls). These are significant issues because personnel inside the organization who best understand the organization’s systems, applications, and business processes are able to gain unauthorized access to some systems and applications. Some of the identified vulnerable devices are used for test and development purposes. In some cases, users are able to access test and development devices with group passwords, system default passwords, or the same passwords with which they log into production devices.
As a result, test and development devices could be a target of hackers/crackers to obtain information (i.e., user password listings) that can be used to attempt further access into DHS’ IT environment.

Conditions noted in FY 2004 regarding access controls at DHS and its Bureaus were:

    •   AC-4-01 – Instances of missing user passwords on key servers and databases, weak user passwords, and weaknesses in user account management. Also, we noted several cases where user accounts were not periodically reviewed for appropriateness, including authorizations to use group user accounts and to identify excessive access privileges.
    •   AC-4-02 – Instances where workstations, servers, or network devices were configured without necessary security patches, or were not configured in the most secure manner. We also identified many user accounts that were not configured for automatic log-off or account lockout.

Recommendations:

In close concert with an organization’s entity-wide information security program, access controls for general support systems and applications should provide reasonable assurance that computer resources such as data files, application programs, and computer-related facilities and equipment are protected against unauthorized modification, disclosure, loss, or impairment. Access controls are facilitated by an organization’s entity-wide security program. Such controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of information.

We recommend that the DHS CIO, in coordination with the OCFO and other DHS functional leaders:

    a. Ensure that password controls meet DHS password requirements and are enforced on all systems;
    b. Implement a password account management process within the Bureaus to ensure the periodic review of user accounts;
    c. Design and implement a DHS-wide patch and security configuration process;
    d. Implement a vulnerability assessment process, whereby systems are periodically reviewed for security weaknesses; and
    e. Include the output of these recommendations in the DHS C&A program.

System Software

We noted weaknesses in programs designed to operate and control the processing activities of computer equipment. Weaknesses in this control area, closely linked to entity-wide security and access controls, increase the likelihood that unauthorized individuals using system software could circumvent security controls to read, modify, or delete critical or sensitive information and programs. Authorized users of the system could gain unauthorized privileges to conduct unauthorized actions, and/or system software could be used to circumvent edits and other controls built into application programs.

Conditions noted regarding system software at DHS and its Bureaus were:

    •   SS-4-01 – Instances where policies and procedures for restricting and monitoring access to operating system software were not implemented, or were inadequate. In some cases, the ability to monitor security logs did not exist.
    •   SS-4-02 – Changes to sensitive operating system settings were not always documented.

Recommendation: We recommend that the DHS CIO, in coordination with the OCFO and other DHS functional leaders, ensure that Bureau personnel comply with the established policies and procedures for monitoring, use, and changes related to operating systems.

Segregation of Duties

During FY 2004, we continued to note instances where an individual controlled more than one critical function within a process, increasing the risk that erroneous or fraudulent transactions could be processed, improper program changes could be implemented, and computer resources could be damaged or destroyed, without detection. Additionally, we noted a lack of segregation of duties between major operating and programming activities, including duties performed by users, application programmers, and data center staff.

Conditions noted regarding segregation of duties at DHS and its Bureaus were:

    •   SD-4-01 – Instances where individuals were able to perform incompatible functions, such as changing, testing, and implementing software, without sufficient compensating controls in place.
    •   SD-4-02 – Instances where key security positions were not defined or assigned, and descriptions of positions were not documented or updated.

Recommendations:

We recommend that the DHS CIO, in coordination with the OCFO and other DHS functional leaders, ensure that:

    a. Policies and procedures are developed and implemented to address segregation of duties for IT and accounting functions; and
    b. Responsibilities are documented so that incompatible duties are consistently separated. If this is not feasible given the smaller size of certain functions, then sufficient compensating controls, such as periodic peer reviews, should be implemented.

Service Continuity

During FY 2004 we noted that DHS took some corrective actions to address IT control issues related to the back-up and protection of critical system data. In addition, the DHS OCIO implemented the use of a Digital Dashboard that includes a continuity planning metric. This metric is based on the percentage of systems with business contingency plans and the percentage of business contingency plans that have been tested. Despite these improvements, weaknesses related to disaster recovery plans and business continuity plans continue to exist. These issues are important because losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency’s ability to accomplish its mission.

Conditions noted regarding service continuity at DHS and its Bureaus were:

    •   SC-4-01 – Several Bureaus had incomplete business continuity plans and systems with incomplete disaster recovery plans. Some plans did not contain current system information, emergency processing priorities, procedures for backup and storage, or other critical information.
    •   SC-4-02 – Some Bureau service continuity plans were not consistently tested, and individuals did not receive training on how to respond to emergency situations.

Recommendations:

We recommend that the DHS CIO, in coordination with the OCFO and other DHS functional leaders:

    a. Develop and implement complete business continuity plans and system disaster recovery plans;
    b. Perform bureau-specific and DHS-wide testing of key service continuity capabilities; and
    c. Design and implement a DHS-wide service continuity training program.

Application Software Development and Change Control

During FY 2004 we noted that DHS took corrective actions to address IT control issues related to application software changes. However, we noted that in some cases the application software change control documentation was still not consistent with Bureau systems development life cycle (SDLC) guidance.

    •   ASDCC-4-01 – Software changes need to be documented in a more consistent manner.

Recommendation:

    a. We recommend that the DHS CIO, in coordination with the OCFO and other DHS functional leaders, ensure that Bureaus improve documentation of software changes to ensure compliance with Bureau SDLC guidance.

Application Controls

During FY 2004, we noted instances where application policies and procedures were not kept current, and where verification of data input and output, including reconciliation between applications, was not consistently performed. These issues are important because securing the capability to input, process, reconcile, and retrieve information maintained electronically can significantly affect an agency’s ability to accomplish its mission.

Conditions noted regarding application controls at DHS and its Bureaus were:

    •   APC-4-01 – One bureau utilized an outdated application user guide of a key financial system.
    •   APC-4-02 – Several bureaus were not consistently performing verification of data input and output, including the reconciliation of data between applications.

Recommendations:

We recommend that the DHS CIO, in coordination with the OCFO and other DHS functional leaders, ensure that:

    a. Bureaus keep input, processing and output control policy and procedures current; and
    b. Bureaus perform regular periodic verification of data input and output, including the reconciliation between applications.

Appendix A - Description of Financial Systems and IT Infrastructure within the Scope of the FY 2004 DHS Financial Statement Audit

Below is a description of significant DHS financial management systems and supporting IT infrastructure included in the scope of the financial statement audit for the twelve months ended September 30, 2004.

United States Citizenship and Immigration Services (USCIS)/Immigration and Customs Enforcement (ICE)

Locations of Review: USCIS/ICE Headquarters in Washington, D.C., as well as offices in Texas, California, Vermont, and Nebraska.

Systems Subject to Review:

•   Federal Financial Management System (FFMS) – FFMS supports all USCIS/ICE core financial processing. FFMS runs on an Oracle database. FFMS uses a Standard General Ledger (SGL) for the accounting of agency financial transactions.

•   Claims 3 – Claims 3 is a database used to track pending applications, and is accessible by the various USCIS service centers. Claims 3 contains totals of pending immigration applications (by application type).
The Claims 3 mainframe acts as a central repository for entering data into the Claims 3 Local Area Network (LAN) via a daily upload process. The district offices do not have direct access to the Claims 3 mainframe platform.

United States Coast Guard

Locations of Review: Coast Guard Headquarters in Washington, DC; the Aviation Repair and Supply Center (ARSC) in Elizabeth City, North Carolina; the Coast Guard Finance Center (FINCEN) in Chesapeake, Virginia; the Operations Supply Center (OSC) in Martinsburg, West Virginia; and the Personnel Service Center (PSC) in Topeka, Kansas.

Systems Subject to Review:

•   Coast Guard Oracle Financials (CGOF) – CGOF is the core accounting system that records financial transactions and generates financial statements for the Coast Guard. CGOF is hosted at FINCEN, the Coast Guard’s primary data center.

•   Naval Electronics Supply Support System (NESSS) – Formerly named the Supply Center Computer Replacement System (SCCR), NESSS is hosted at OSC. NESSS is the primary financial application for the Engineering Logistics Command (ELC), the Supply Fund, and the Yard Fund. Also housed at OSC is the Fleet Logistics System (FLS), a web-based application designed to automate the management of CG vessel logistics by supporting the following functions: configuration, maintenance, supply and finance. In addition, OSC is responsible for CMPlus, the central repository for activities associated with maintaining Coast Guard assets at the unit level.

•   Aircraft Logistics Management Information System (ALMIS) – Hosted at the ARSC, ALMIS is used to track and schedule aircraft maintenance and configuration, as well as provide support for the procurement, inventory management, accounting, aircrew qualifications, flight operations, and decision support functions for the ARSC and the 25 air stations. The Aviation Maintenance Management Information System (AMMIS) is a component of ALMIS, and provides the ability to track and schedule aircraft maintenance and configuration as well as provide support for procurement, inventory management, and accounting.

Several other key Coast Guard financial applications support military personnel and payroll, retired pay, and travel claims. These applications are hosted at the PSC, which was formerly known as the Human Resources Services and Information Center. These applications include the Personnel Management Information System (PMIS) and the Joint Uniform Military Pay System (JUMPS). Also housed at PSC is the PeopleSoft 8.3 Direct Access application, which is used by members for self-service functions, including updating and viewing personal information.

In addition, the Coast Guard maintains hosts on the Internet in thirteen Internet Protocol (IP) address ranges. Hosts within these ranges support various Web-based applications, e-mail servers, and File Transfer Protocol (FTP) servers.

United States Customs and Border Protection (CBP)

Locations of Review: The CBP National Finance Center (NFC) in Indianapolis, Indiana and the National Data Center (NDC) in Newington, Virginia.

Systems Subject to Review:

•   Asset Information Management System (AIMS) – AIMS is CBP's IBM mainframe-based financial management system that supports primary financial accounting and reporting processes, and a number of additional subsystems for specific operational and administrative management functions. The core system consists of general ledger, accounts receivable, disbursements/payables, purchasing, and budget execution accounts. AIMS is hosted on a customized version of American Management Systems' software – Federal Financial System (FFS).

•   Automated Commercial System (ACS) – ACS is a collection of mainframe-based applications used to track, control, and process all commercial goods, conveyances and private aircraft entering United States territory, for the purpose of collecting import duties, fees, and taxes owed to the Federal government.

•   Seized Assets and Cases Tracking System (SEACATS) – Used for tracking seized assets, the customs forfeiture fund, and fines and penalties.

•   SAP R/3 – SAP is a client/server-based financial management system that was implemented during FY 2004 to ultimately replace the AIMS mainframe-based financial system (FFS) using a phased approach. The SAP Materials Management module was implemented and utilized in FY 2004.
Other SAP modules are to be implemented in FY 2005.\n\nCBP also maintains personnel, payroll, and scheduling systems.\n\n\n\n\n                                                  9\n\x0c                                                                                          Appendix A\n\n                              Department of Homeland Security\n                        Information Technology Management Comments\n                                     September 30, 2004\n\nDHS Consolidated\n\nLocation of Review: DHS Headquarters in Washington, D.C.\n\nSystems Subject to Review:\n\n\xe2\x80\xa2   Treasury Information Executive Repository (TIER) \xe2\x80\x93 The system of record for the DHS\n    consolidated financial statements is TIER. The DHS Bureaus update TIER on a monthly basis\n    with data extracted from their core financial management systems. TIER subjects Bureau\n    financial data to a series of validation and edit checks before it becomes part of the system of\n    record. Data cannot be modified directly in TIER, but must be resubmitted as an input file.\n\n\xe2\x80\xa2   CFO Vision \xe2\x80\x93 CFO Vision interfaces with TIER, and is used for the consolidation of the financial\n    data and the preparation of the DHS financial statements.\n\nThe TIER and CFO Vision applications reside on the Department of Treasury\xe2\x80\x99s (Treasury) network\nand are administered by Treasury. Treasury is responsible for the administration of the TIER\nWindows NT server, Oracle 8i database, and the TIER and CFO Visions applications. 
The DHS\nOffice of Financial Management (OFM) is responsible for the administration of user accounts within\nthe TIER and CFO Vision applications.\n\nEmergency Preparedness and Response (EPR)\nLocations of Review: Federal Emergency Management Agency (FEMA) Headquarters in\nWashington, D.C., and the Mount Weather Emergency Assistance Center (MWEAC) in Bluemont,\nVirginia.\n\nSystems Subject to Review:\n\n\xe2\x80\xa2   Integrated Financial Management Information System (IFMIS) \xe2\x80\x93 IFMIS is the key financial\n    reporting system, and has several feeder subsystems (budget, procurement, accounting, and other\n    administrative processes and reporting).\n\n\xe2\x80\xa2   National Emergency Management Information System (NEMIS) \xe2\x80\x93 NEMIS is an integrated system\n    to provide FEMA, the States, and certain other Federal agencies with automation to perform\n    disaster related operations. NEMIS support all phases of emergency management, and provides\n    financial related data to IFMIS via an automated interface.\n\nLimited Scope\n\nLocations of Review: We performed follow-up on a FY 2003 finding at the Federal Law\nEnforcement Training Center (FLETC) Headquarters in Glynco, Georgia.\n\nSystems Subject to Review:\n\nThe Momentum Financial System is FLETC\xe2\x80\x99s core computerized system that processes financial\ndocuments generated by various FLETC divisions in support of procurement, payroll, budget and\naccounting activities.\n\n\n\n                                                10\n\x0c                                                                                         Appendix A\n\n                              Department of Homeland Security\n                        Information Technology Management Comments\n                                     September 30, 2004\n\n\nOffice of State and Local Government Coordination and Preparedness (SLGCP, formerly the\nOffice for Domestic Preparedness)\n\nLocation of Review: SLGCP Headquarters in 
Washington, D.C.\n\nSystems Subject to Review:\n\nSLGCP\xe2\x80\x99s IT platforms are hosted and supported by the Department of Justice\xe2\x80\x99s Office of Justice\nPrograms (OJP). The following is a list of key financial related applications supporting SLGCP.\n\n\xe2\x80\xa2   IFMIS (same application as FEMA, but hosted at OJP) \xe2\x80\x93 IFMIS consists of five modules that\n    include: budget, cost posting, disbursement, general ledger, and accounts receivable. Users\n    access the system through individual workstations that are installed throughout SLGCP and OJP.\n    The current IFMIS version does not have the ability to produce external federal financial reports\n    (i.e., SF132 and SF133) and financial statements. IFMIS was updated in February 2002 with the\n    version certified by the Joint Financial Management Improvement Program (JFMIP).\n\n\xe2\x80\xa2   Grants Management System (GMS) \xe2\x80\x93 GMS supports the SLGCP grant management process\n    involving the receipt of grant applications and grant processing activities. GMS is divided into\n    two logical elements. There is a grantee and an administration element within the system. The\n    grantee component provides the Internet interface and functionality required for all of the\n    grantees to submit grant applications on-line. The second component, the administration\n    component, provides SLGCP/OJP personnel the tools required to store, process, track and\n    ultimately make decisions about the applications submitted by the grantee. This system does not\n    interface directly with IFMIS.\n\n\xe2\x80\xa2   Line of Credit Electronic System (LOCES) \xe2\x80\x93 The LOCES allows recipients of SLGCP funds to\n    electronically request payment from OJP on one day and receive a direct deposit to their bank for\n    the requested funds usually on the following day. Batch information containing draw down\n    transaction information from LOCES is transferred to IFMIS. 
The IFMIS system then interfaces\n    with Treasury to transfer payment information to Treasury, resulting in a disbursement of funds\n    to the grantee.\n\n\xe2\x80\xa2   Paperless Request System (PAPRS) \xe2\x80\x93 This system allows grantees to access their grant funds.\n    The system includes a front and back end application. The front-end application provides the\n    interface where grantees make their grant requests. The back end application is primarily used by\n    accountants and certifying officials. The back end application also interfaces with the IFMIS\n    application. Batch information containing draw down transaction information from PAPRS is\n    interfaced with IFMIS. The IFMIS system then interfaces with Treasury to transfer payment\n    information to Treasury, resulting in a disbursement of funds to the grantee.\n\n\xe2\x80\xa2   SF 269 Web Based System \xe2\x80\x93 The web based system enables authorized users to view grant\n    information, view previously submitted SF269\xe2\x80\x99s, and submit quarterly SF269\xe2\x80\x99s online. SF 269\n    web-based system is interfaced to the PAPRS and LOCES payment system.\n\nSLGCP currently provides state and local agencies with grant funding services to acquire specialized\nresponse equipment, emergency responder training and technical assistance, and support to plan and\n                                               11\n\x0c                                                                                          Appendix A\n\n                              Department of Homeland Security\n                        Information Technology Management Comments\n                                     September 30, 2004\n\nconduct exercises tailored to the circumstances of the jurisdiction. Starting July 2004, SLGCP who\ncurrently relied on OJP for their network and IT platform support of applications; will begin to\nmigrate all support over to the Department of Homeland Security. 
The plan for the transfer of all\nSLGCP functions to DHS will not be fully completed until January 2005. Currently the only SLGCP\napplication that is supported fully by DHS is the Data Collection Toolkit. This application was\npreviously hosted through OJP; now a third party contractor is hosting the application in Dallas,\nTexas.\n\nTransportation Security Administration (TSA)\n\nLocations of Review: TSA Headquarters in Washington, D.C. and the DOT data center in Oklahoma\nCity, Oklahoma. TSA\xe2\x80\x99s financial applications are hosted on DOT IT platforms.\n\nSystems Subject to Review:\n\n\xe2\x80\xa2   Consolidated Uniform Payroll System (CUPS) \xe2\x80\x93 CUPS maintains TSA payroll data, calculates\n    pay, wages, tax information and maintains service history and separation records. CUPS\n    interfaces with the Integrated Personnel and Payroll System (IPPS), Little IPPS, CUPS National,\n    CPMIS, DELPHI, and also receives other data inputs. CUPS is a mainframe application.\n\n\xe2\x80\xa2   Consolidated Personnel Management Information System (CPMIS) \xe2\x80\x93 CPMIS is the DOT\n    personnel management system. The system processes and tracks personnel actions and employee\n    related data for TSA, including employee elections for the Thrift Savings Plan (TSP), life\n    insurance, and health insurance as well as training data and general employee information (i.e.\n    name, address, etc.). CPMIS is also used to maintain information related to budget, training, civil\n    rights, labor relations and security. CPMIS is a mainframe application. CPMIS interfaces with\n    CUPS to allow CUPS to perform the calculation of pay, time and attendance reporting, leave\n    accounting, and wage and tax reporting. 
CUPS also uses the information received from CPMIS to\n    initiate payroll deductions for TSP, insurances, Combined Federal Campaign contributions, and\n    savings bonds.\n\n\xe2\x80\xa2   Integrated Personnel And Payroll System (IPPS) \xe2\x80\x93 IPPS processes requests for personnel action,\n    training enrollments, and time and attendance information. IPPS interfaces with CPMIS and\n    CUPS to receive time and attendance and payroll information. IPPS also interfaces with the IPPS\n    Management and Reporting (MIR) system. MIR is a client/server system that provides reporting\n    capability through an Oracle database.\n\n\xe2\x80\xa2   Delphi \xe2\x80\x93 Delphi is the TSA core financial management system, which provides accounts payable,\n    accounts receivable, general ledger, and budgeting functionality. Delphi is Oracle based and is a\n    commercial off\xe2\x80\x93the\xe2\x80\x93shelf (COTS) software package that is certified to meet government\n    accounting needs.\n\n\n\n\n                                                12\n\x0c                                                             Appendix B\n\n                      Department of Homeland Security\n                Information Technology Management Comments\n                             September 30, 2004\n\n\n\n\nAppendix B \xe2\x80\x93 FY 2004 Notice of IT Findings and Recommendations\n            - Detail by DHS Organizational Element\n\n\n\n\n                                   13\n\x0c                                                        Appendix B\n\n                 Department of Homeland Security\n           Information Technology Management Comments\n                        September 30, 2004\n\n\n\n\n           Department of Homeland Security\n            FY2004 Information Technology\nNotification of Findings and Recommendations \xe2\x80\x93 Detail\n\n\n      Citizenship and Immigration Services\n\n      Immigration and Customs Enforcement\n\n\n\n\n                              
Each finding below lists the NFR #, Condition, Recommendation, and Disposition, where the
disposition is either Material Weakness (MW) or Management Comment (MC). Entries marked
(b)(2)High were redacted for public release.

CIS-4-09
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CIS-4-10
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CIS-4-19
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MC

CIS-4-21
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CIS-4-27
    Condition:      The site C&A package for the California Service Center has expired.
    Recommendation: ensure critical systems are accredited every three years or consider issuing
                    an interim accreditation.
    Disposition:    MW

ICE-4-17
    Condition:      Access control weaknesses were identified in the Federal Financial Management
                    System.
    Recommendation: Implement stronger password management requirements, regularly review
                    access logon attempts, and educate users on password best practices.
    Disposition:    MW

CIS/ICE-4-18
    Condition:      CIS/ICE does not have procedures in place to periodically review System Time
                    and Attendance Report (STAR) user access lists and could not provide a list of
                    all authorized STAR users upon request.
    Recommendation: Document and implement policies and procedures to perform a periodic review
                    of STAR user accounts.
    Disposition:    MW


           Department of Homeland Security
            FY2004 Information Technology
Notification of Findings and Recommendations – Detail


             Customs and Border Protection


CBP-4-01
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CBP-4-02
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CBP-4-03
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CBP-4-04
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CBP-4-05
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CBP-4-06
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CBP-4-07
    Condition:      Weaknesses in the C&A process at field sites.
    Recommendation: all field sites, continue to develop a formal site selection plan that
                    prioritizes sites by criticality, and resolve common issues in the
                    corrective action plan.
    Disposition:    MW

CBP-4-08
    Condition:      Improvements are needed in system logical access controls over network assets
                    affecting headquarters and the National Data Center.
    Recommendation: Coordinate with DHS in developing enterprise-wide solutions for improving
                    network and host-based system logical access controls.
    Disposition:    MW

CBP-4-09
    Condition:      Interconnection Security Agreements (ISA) are not documented for 92 partners
                    that connect with ACS.
    Recommendation: Complete efforts to identify all trading partners where ISAs have not been
                    formally documented and approved, and complete ISAs for identified (b)(2)High
    Disposition:    MW

CBP-4-10
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MC

CBP-4-11
    Condition:      Weaknesses with the SAP R/3 Release 2 Risk Assessment.
    Recommendation: Update the SAP R/3 Release 2 Risk Assessment as appropriate.
    Disposition:    MC

CBP-4-12
    Condition:      Improvements needed in restricting access to sensitive system-level
                    transactions through the On-Line Transaction Processing System Security
                    (CICS).
    Recommendation: Remove unnecessary privileges, base access on the principle of least
                    privilege, and consider use of a temporary account for privileges
                    infrequently required by users.
    Disposition:    MW

CBP-4-13
    Condition:      SAP R/3 Release 2 segregation of duties issues were identified with several
                    users.
    Recommendation: Take action to mitigate the segregation of duties violations identified or
                    accept the risk of the issue, in which case additional documentation is
                    required.
    Disposition:    MW

CBP-4-14
    Condition:      The incident handling and response capability needs improvement regarding
                    incident detection and initiation, response, recovery, and closure.
    Recommendation: Implement access controls over incident response tickets, develop a
                    risk-based approach to responding to incidents, ensure workstation
                    compliance, and develop a standard real-time automated reporting process.
    Disposition:    MC

CBP-4-15
    Condition:      Audit logs are not appropriately monitored for SAP R/3 Release 2.
    Recommendation: Train all personnel responsible for reviewing audit logs on the specific
                    requirements for the task.
    Disposition:    MW

CBP-4-16
    Condition:      Weaknesses in the access control process for SAP R/3 Release 2 Materials
                    Management.
    Recommendation: Consistently document authorizations to SAP for all users.
    Disposition:    MW

CBP-4-17
    Condition:      System access, user account management, and configuration weaknesses
                    identified with the SAP general controls environment for the materials
                    management module.
    Recommendation: Implement policies and procedures to address the access control and
                    configuration weaknesses identified.
    Disposition:    MW

CBP-4-18
    Condition:      Least privilege principles are not appropriately enforced for mainframe user
                    groups' access to sensitive datasets/utilities.
    Recommendation: Remove unnecessary privileges, base access on the principle of least
                    privilege, and consider use of a temporary account for privileges
                    infrequently required by users.
    Disposition:    MW


           Department of Homeland Security
            FY2004 Information Technology
Notification of Findings and Recommendations – Detail


                United States Coast Guard


CG-4-01
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CG-4-02
    Condition:      The Finance and Procurement Desktop (FPD) User Guide is outdated.
    Recommendation: Review and update the FPD User Guide and develop a policy to ensure that
                    application documentation is reviewed and updated regularly or when changes
                    occur.
    Disposition:    MC

CG-4-03
    Condition:      Comprehensive policies for conducting personnel suitability investigations,
                    or records to support the results of personnel suitability investigations,
                    do not exist.
    Recommendation: Determine DHS status on publishing a policy on background checks and
                    suitability requirements and, subsequent to this policy, document and
                    enforce procedures to ensure compliance.
    Disposition:    MC

CG-4-04
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CG-4-05
    Condition:      procedures to restrict access to the UNIX operating system and for
                    monitoring access. No periodic reviews to determine if current monitoring
                    is functioning as intended.
    Recommendation: Develop policies and procedures to address access and monitoring in the UNIX
                    operating system environment and periodically test the effectiveness of
                    current monitoring procedures.
    Disposition:    MW

CG-4-06
    Condition:      Weaknesses associated with the UNIX system software change control process.
    Recommendation: Develop change control policies and procedures and retain all risk
                    assessment and testing documentation to provide an audit trail for changes.
    Disposition:    MW

CG-4-07
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CG-4-08
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CG-4-09
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CG-4-10
    Condition:      The security plans for the Naval Electronics Supply Support System (NESSS)
                    and FLS are not in compliance with criteria.
    Recommendation: Complete the security plans in compliance with criteria.
    Disposition:    MW

CG-4-11
    Condition:      (b)(2)High
    Recommendation: (b)(2)High
    Disposition:    MW

CG-4-12
    Condition:      The Operations Service Center (OSC) has not implemented a disaster recovery
                    plan.
    Recommendation: Complete the OSC disaster recovery plan to include Coast Guard-wide disaster
                    recovery planning.
    Disposition:    MW

CG-4-13
    Condition:      Entity-wide security program planning is not in place for the Personnel
                    Service Center (PSC).
    Recommendation: Implement policies and procedures and complete documentation as necessary to
                    develop entity-wide security program planning for the PSC.
    Disposition:    MC

CG-4-14
    Condition:      Weaknesses exist regarding PSC service continuity and resource
                    classifications.
    Recommendation: Complete a PSC Business Recovery Plan (BRP) including all necessary
                    components, and move the computer room to a more environmentally controlled
                    environment.
    Disposition:    MW

CG-4-15
    Condition:      Weaknesses were identified at PSC relating to weak password settings, lack of
                    monitoring of access lists or changes to
    Recommendation: Evaluate and ensure password compliance, implement account/access
                    maintenance and
               MW\n                                              monitoring procedures, and\n          security profiles, and lack of\n                                              implement monitoring of\n          policies for monitoring operating\n                                              operating system software.\n          system software.\n                                              Determine the sensitivity of\n                                              positions supporting critical IT\n          Documented procedures do not        systems and applications and\nCG-4-16   exist at PSC to enforce             implement segregation of duties              MW\n          segregation of duties principles.   or background screening to\n                                              mitigate the risks created by\n                                              (b)(2)High\n          (b)(2)High\n\n\nCG-4-17                                                                                    MW\n\n\n\nCG-4-18                                                                                    MW\n\n\n\nCG-4-19                                                                                    MW\n\n\n\nCG-4-20                                                                                    MW\n\n\n\n\nCG-4-21                                                                                    MW\n\n\n\n\nCG-4-22                                                                                    MW\n\n\n\n\n                                                        23\n\x0c                                                                                                  Appendix B\n\n                                     Department of Homeland Security\n                               Information Technology Management Comments\n                                            September 30, 2004\n\n                                                                                      
CG-4-23 (MW): condition and recommendation (b)(2)High

CG-4-24 (MC)
  Condition: Implementation and management oversight of Coast Guard’s information security program remains fragmented.
  Recommendation: Continue developing the implementation and management oversight functions and responsibilities for the Coast Guard information security program.

CG-4-25 (MC)
  Condition: Interface controls do not ensure that record counts match as data is transferred from CGOF into CheckFree.
  Recommendation: Modify CheckFree code to include null values to maintain data integrity. Until system controls are implemented, develop manual compensating controls.

CG-4-26 (MW)
  Condition: Three of the four Database Administrators at FINCEN also have System Administrator rights and responsibilities.
  Recommendation: Separate the critical roles of Database Administrator and System Administrator.


                                  Department of Homeland Security
                                   FY2004 Information Technology
                       Notification of Findings and Recommendations - Detail

                                 Emergency Preparedness and Response

EPR-4-11 (MW)
  Condition: Policies and procedures do not exist to perform periodic review of IFMIS user access lists.
  Recommendation: Develop and implement policies and procedures regarding review of IFMIS user access lists.

EPR-4-16 (MW): condition and recommendation (b)(2)High

EPR-4-17 (MC): condition and recommendation (b)(2)High

EPR-4-18 (MW)
  Condition: [...] processes for ensuring that all general support system and application access, including NEMIS, is timely removed for terminated employees.
  Recommendation: Periodically review user accounts and update termination policies and procedures to ensure compliance with criteria.

EPR-4-19 (MW)
  Condition: Seven critical systems do not have a certification and accreditation (C&A).
  Recommendation: Allocate sufficient resources towards completing C&As and continue to meet the timelines established in the FEMA Remediation Plan.

EPR-4-20 (MW)
  Condition: No documented process for generating or communicating new or reset IFMIS passwords to users.
  Recommendation: Document and implement a process for communicating passwords to users, and update Instruction 2200.7 as appropriate.

EPR-4-21 (MW)
  Condition: IFMIS Table audit trail data is not reviewed periodically.
  Recommendation: Perform and document review of critical IFMIS Table audit trail data.

EPR-4-22 (MC)
  Condition: Insufficient documentation exists to fully explain IFMIS functions and user access capabilities (b)(2)High
  Recommendation: Strengthen system documentation supporting the description of IFMIS user functions and their associated (b)(2)High

EPR-4-23 (MW): condition and recommendation (b)(2)High

EPR-4-24 (MW): condition and recommendation (b)(2)High

EPR-4-25 (MW): condition and recommendation (b)(2)High

EPR-4-28 (MC)
  Condition: [...] and Collection System (IPAC) provides for interagency billings and payments for supplies and services. Of five IPAC User Request Forms selected for testing, we noted one form on which the employee’s access was not specifically indicated.
  Recommendation: We recommend that EPR ensure that there is a clear indication of the level of IPAC access requested for any EPR employees granted access to IPAC.

EPR-4-32 (MW)
  Condition: The Continuity of Operations Plans (COOP) for IFMIS and NEMIS are in draft.
  Recommendation: Finalize and obtain management approval of the COOP plans, and then periodically test the plans.

EPR-4-35 (MC)
  Condition: Mt. Weather has not documented interagency agreements for alternate data processing and telecommunication facilities in the event of a disaster.
  Recommendation: Establish interagency agreements for alternate data processing and telecommunication facilities in the event of a disaster, and include the agreement in the COOP once it is implemented.

EPR-4-39 (MW)
  Condition: FEMA has not prioritized its critical data and operations, emergency processing priorities and procedures have not been documented, and all resources supporting critical operations have not been identified.
  Recommendation: Identify and document all resources supporting critical operations, develop priorities of systems, data and operations to be recovered in the event of a disaster, and document the information in the Project Step Matrix 1 Report.


                                  Department of Homeland Security
                                   FY2004 Information Technology
                       Notification of Findings and Recommendations - Detail

                     Limited Scope – Federal Law Enforcement Training Center

LTD-4-01 (MC)
  Condition: Incident response policies and procedures are not in place and/or finalized for the FLETC Momentum Financial System (MFS).
  Recommendation: Develop, finalize, and maintain incident response capabilities in accordance with criteria.


                                  Department of Homeland Security
                                   FY2004 Information Technology
                       Notification of Findings and Recommendations - Detail

                                             Consolidated

CONS-4-01 (MC)
  Condition: Excessive Treasury Information Executive Repository (TIER) system privileges were granted, and a documented process does not exist to notify TIER application administrators of user termination or transfer for timely removal of system access.
  Recommendation: Reevaluate TIER user privileges and restrict user account privileges to the minimum necessary to perform job duties, and document a process to timely notify TIER administrators of user termination or transfer.

CONS-4-02 (MC)
  Condition: The interagency agreement between DHS and Treasury regarding use of TIER and the related reporting tool (CFO Vision) does not describe the information security controls that need to be implemented and managed by the data owner (DHS) or the system operator (Treasury).
  Recommendation: Ensure that the interagency agreement for TIER and CFO Vision clearly specifies the information security controls to be maintained by Treasury, consistent with criteria.

CONS-4-03 (MW)
  Condition: Lack of compliance with FISMA in the areas of access controls, entity-wide security program planning and management, system software, segregation of duties, and service continuity.
  Recommendation: Ensure timely submission of FISMA reports to OMB and implement stronger controls in all identified areas.


                                  Department of Homeland Security
                                   FY2004 Information Technology
                       Notification of Findings and Recommendations - Detail

  Office of State and Local Government Coordination and Preparedness (SLGCP, formerly
                             the Office for Domestic Preparedness)

SLGCP-4-05 (MC)
  Condition: A system owner and security manager have not been identified to track background investigations and personnel clearances.
  Recommendation: Assign the appropriate personnel to the system owner and security manager positions.

SLGCP-4-06 (MC)
  Condition: A Service Level Agreement (SLA) is not in place with the third party hosting the Data Collection Toolkit (DCT).
  Recommendation: Document, approve, and maintain an SLA with the third party hosting the DCT.

SLGCP-4-07 (MC)
  Condition: A documented security awareness training program is not in place.
  Recommendation: Develop and implement policies and procedures relating to IT security awareness training, and ensure that IT personnel receive the proper training to perform job duties.

SLGCP-4-08 (MW)
  Condition: Segregation of duties is not properly enforced, and documented policies outlining segregation of duties controls or procedures do not exist.
  Recommendation: Document segregation of duties policies and procedures for SLGCP information system functions, and create an information systems department responsible for security and network administration of SLGCP (b)(2)High

SLGCP-4-09 (MW): condition and recommendation (b)(2)High

SLGCP-4-10 (MW)
  Condition: Application user accounts are not removed in a timely manner after user separation.
  Recommendation: [...] methods for improving the process to notify the security officer that an SLGCP employee or contractor has been transferred or has terminated employment and no longer requires system access.

SLGCP-4-22 (MW)
  Condition: A C&A does not exist for the SF 269 web based system.
  Recommendation: Allocate sufficient funds to complete the necessary documentation and perform a C&A on the SF 269 web based system.

SLGCP-4-25 (MC)
  Condition: The reconciliation process for financial transactions that occurred between IFMIS and the SF 269 web based system was not fully implemented throughout the fiscal year.
  Recommendation: Develop a process to monitor, record, and track the financial transactions that occur between IFMIS and the SF 269 web based system.

SLGCP-4-26 (MW)
  Condition: The SF 269 web based system captured transactions but did not capture user activity for three months of the fiscal year.
  Recommendation: Develop a policy to explain in detail the methods for audit logging and monitoring, maintain clear records of system audit logs, and document, investigate, and close any questionable events.


                                  Department of Homeland Security
                                   FY2004 Information Technology
                       Notification of Findings and Recommendations - Detail

                               Transportation Security Administration

TSA-4-01 (MW)
  Condition: Segregation of duties is not properly enforced in the Delphi Application within FFMS.
  Recommendation: Implement controls to restrict access based on the principles of least privilege.

TSA-4-02 (MW)
  Condition: Weaknesses in Delphi access controls, network security, and system security controls.
  Recommendation: Ensure that system controls will be appropriately implemented in the version of FFMS to which TSA will be migrating.

TSA-4-03 (MW)
  Condition: System financial integrity issues identified in the Delphi application.
  Recommendation: Continue holding meetings to identify system integrity problems, and track corrective action in the form of reconciliation and manual controls.

TSA-4-04 (MW)
  Condition: Inaccuracies exist within TSA personnel records, which address both the separated employee issue and other erroneous personnel records.
  Recommendation: Correct issues regarding separated employees, and continue reconciliation efforts to correct erroneous personnel information in CUPS and CPMIS.


Appendix C - Cross-Walk of Previous Year’s Notice of Findings and Recommendations to Current Year

Columns: Bureau; NFR No.; Description; Disposition: Closed, or Repeat with the FY 2004 NFR number

CIS/ICE 03-02: Benefits Systems Division has no risk assessment for the Claims 3 mainframe. Disposition: Closed.
CIS/ICE 03-03: BCIS needs to complete and strengthen security plans for Claims 3 Mainframe and Claims 4. Disposition: Closed.
CIS/ICE 03-04: BCIS security training policies not implemented. Disposition: Closed.
CIS/ICE 03-10: (b)(2)High. Disposition: Repeat, 04-19.
CIS/ICE 03-12: (b)(2)High. Disposition: Repeat, 04-09.
CIS/ICE 03-13: BCIS Access Control Weaknesses. Disposition: Closed.
CIS/ICE 03-14: BCIS/BICE service continuity weaknesses. Disposition: Closed.
CIS/ICE 03-15: Implementation of Corrective Actions for Claims 3 and Claims 4 from the Security Test and Evaluation (ST&E) not implemented. Disposition: Closed.

CBP 03-01: (b)(2)High. Disposition: Repeat, 04-01.
CBP 03-02: [...] Functions. Disposition: Closed.
CBP 03-03: Non-existent/Incomplete NDC Fire Evacuation Plans and Procedures. Disposition: Closed.
CBP 03-04: (b)(2)High. Disposition: Repeat, 04-04.
CBP 03-05: (b)(2)High. Disposition: Repeat, 04-18.
CBP 03-06: [...]. Disposition: Repeat, 04-02.
CBP 03-07: [...]
        04-09\nCBP       03-08                                                                                         04-08\nCBP       03-09                                                                                         04-02\n\nCBP       03-10                                                                                         04-14\nCBP       03-11     Lack of Certification & Accreditation of CBP's Data                     X\n                    Telecommunications Network\n                    (b)(2)High\n                    (b)(2)High\nCBP       03-12                                                                                         04-10\nCBP       03-13     Application Change Control Documentation Process is not Consistent      X\n                    with Published Guidance\n                    (b)(2)High\n                    (b)(2)High\nCBP       03-14                                                                                         04-07\nCBP       03-15                                                                                         04-03\nCBP       03-16                                                                                         04-05\nCBP       03-17                                                                                         04-12\n\nCBP       03-18                                                                                         04-06\n\n                                                        38\n\x0c                                                                                                 Appendix C\n\n                                    Department of Homeland Security\n                              Information Technology Management Comments\n                                           September 30, 2004\n\n                                                                                              Disposition\nBureau   NFR No.   
Description                                                          Closed       Repeat\n\n                   (b)(2)High\n                   (b)(2)High\nCBP      03-19                                                                                        04-03\n\n\n                   (b)(2)High\n                   (b)(2)High\nCG       03-001                                                                                       04-022\n\nCG       03-002                                                                                       04-013\n\nCG       03-003                                                                                       04-014\n\nCG       03-004                                                                           X\nCG       03-005    No documentation of system software changes; same staff makes          X\n                   changes and moves into production. \xe2\x80\x93 AR&SC -\nCG       03-006    Infrequent back up, weaknesses in DRP \xe2\x80\x93 AR&SC                          X\nCG       03-007    Application changes do not follow procedures \xe2\x80\x93 AR&SC                   X\nCG       03-008    (b)(2)High\n                   (b)(2)High\n                                                                                                      04-020\n\nCG       03-009                                                                                       04-004\n\nCG       03-010                                                                                       04-005\n\nCG       03-011                                                                                       04-006\n\nCG       03-012    Telecommunications\xe2\x80\x94weak password allowed access to Dataline card       X\n                   reader application. 
(War Dial)\n                   (b)(2)High\n                   (b)(2)High\nCG       03-013                                                                                       04-007\n\nCG       03-014                                                                           X\n                   information technology support positions within FINCEN are not up-\n                   to-date\nCG       03-015    FINCEN personnel are not currently using PVCS\xc2\xae Tracker/Version         X\n                   Manager to maintain and track application changes for CGOF or\n                   LUFS.\nCG       03-016    System Developer Access to Production Software and Files \xe2\x80\x93 AR&SC       X\n                   \xe2\x80\x93 BCCP not up to date, tested, no training in BCCP.\nCG       03-017    (b)(2)High\n                   (b)(2)High\n                                                                                                      04-008\n\nCG       03-018                                                                           X\n                   configuration and changes not documented.\nCG       03-019    NESSS Access Administration \xe2\x80\x93 OSC/ELC\xe2\x80\x94No process to ensure             X\n                   system access commensurate with responsibilities.\nCG       03-020    FLS (Fleet Logistics System) Access \xe2\x80\x93 OSC/ELC \xe2\x80\x93 weak passwords         X\n                   and log ins and no ability to track.\n                   (b)(2)High\n                   (b)(2)High\nCG       03-021                                                                                       04-009\n\n                                                     39\n\x0c                                                                                                 Appendix C\n\n                                      Department of Homeland Security\n                                Information Technology Management Comments\n                                
             September 30, 2004\n\n                                                                                              Disposition\nBureau   NFR No.   Description                                                          Closed       Repeat\n\n                   (b)(2)High\n                   (b)(2)High\nCG       03-022                                                                                       04-011\n\nCG       03-023                                                                           X\n                   Development Life Cycle (SDLC) methodology and violate segregation\n                   of duties.\nCG       03-024    (b)(2)High\n                   (b)(2)High                                                                         04-010\nCG       03-025                                                                                       04-012\nCG       03-026                                                                                       04-015\nCG       03-027                                                                                       04-016\n\nCG       03-028                                                                                       04-021\nCG       03-029                                                                                       04-015\n\nCG       03-030                                                                                       04-015\n\nCG       03-031                                                                                       04-014\nCG       03-032                                                                           X\nCG       03-033    PSC transmissions-- No confirmation of receipt of data.                
X\nCG       03-034    (b)(2)High\n                   (b)(2)High\n                                                                                                      04-003\nCG       03-035                                                                           X\nCG       03-036    Service continuity\xe2\x80\x94No DRP, no testing of COOP                          X\nCG       03-037    Security Training \xe2\x80\x93 HQ\xe2\x80\x94Training not tracked.                           X\nCG       03-038    (b)(2)High\n                   (b)(2)High\n                                                                                                      04-023\n\nCG       03-039                                                                                       04-019\nCG       03-040                                                                           X\n                   Ledger Module during data conversion.\nCG       03-041    (b)(2)High\n                   (b)(2)High\n                                                                                                      04-018\nCG       03-042                                                                                       04-017\n\n\nCG       03-043                                                                                       04-024\n\n\n\nCONS     03-01     (b)(2)High\n                   (b)(2)High\n                                                                                                      04-02\n\nCONS     03-02     Lack of assessment or assurance of security controls in place over     X\n                   TIER and CFO Vision\nCONS     03-03     DHS TIER resides on a test server                                      X\n\n                                                        40\n\x0c                                                                                                     Appendix C\n\n                                      Department of Homeland Security\n                         
       Information Technology Management Comments\n                                             September 30, 2004\n\n                                                                                                  Disposition\nBureau   NFR No.   Description                                                              Closed        Repeat\n\n                   (b)(2)High\n                   (b)(2)High\nCONS     03-04                                                                                             04-01\nCONS     03-05     Lack of a comprehensive and accurate financial system inventory            X\n\n\n                   (b)(2)High\nEPR      03-04     (b)(2)High                                                                              04-11\n\nEPR      03-05                                                                                             04-39\n\nEPR      03-06                                                                                             04-32\nEPR      03-07                                                                                             04-16\nEPR      03-08                                                                                             04-17\n\nEPR      03-09                                                                                             04-18\n\nEPR      03-10                                                                                             04-19\n\nEPR      03-11                                                                                X\n                   not provided to newly hired employees and contractors as part of their\n                   orientation to Federal Emergency Management Agency (FEMA).\n                   (b)(2)High\n                   (b)(2)High\nEPR      03-12                                                                                             04-20\nEPR      03-13                                                                                  
           04-21\n\nEPR      03-14                                                                                             04-22\nEPR      03-22                                                                                             04-23\n\nEPR      03-23                                                                                             04-24\nEPR      03-24                                                                                X\nEPR      03-26     (b)(2)High\n                   (b)(2)High\n                                                                                                           04-25\n\n\n                   (b)(2)High\n                   (b)(2)High\nLTD      03-01                                                                                             04-01\n\n\nSLGCP    03-01     (b)(2)High\n                   (b)(2)High\n                                                                                                       Reissued under\n                                                                                                        the DOJ OJP\n                                                                                                            audit\nSLGCP    03-02                                                                                X\n                   (b)(2)High\n                   (b)(2)High\nSLGCP    03-03                                                                                            Note 1\n\n\n\n\n                                                        41\n\x0c                                                                                                     Appendix C\n\n                                      Department of Homeland Security\n                                Information Technology Management Comments\n                                             September 30, 2004\n\n                                                                                            
      Disposition\nBureau   NFR No.   Description                                                              Closed       Repeat\n\nSLGCP    03-04     Access Controls, System Software - poor configuration management                       Note 1\n                   on OJP servers\n\nSLGCP    03-05     Access Controls - lack of compliance with security                         X\n                   measures at workstation area\nSLGCP    03-06     Change Controls relating to service request signatures                     X\n\n\nSLGCP    03-07     Security Program not updated for current conditions                        X\n                   for FY2002 or FY2003 or FY2004\n\nSLGCP    03-08     Weakness in service continuity plans                                       X\n\n\nSLGCP    03-09     Access privileges and profiles for IFMIS.                                  X\n\nSLGCP    03-10     External network on the ODP web server contained default java scripts.     X\n\n\nTSA      03-01     Individuals can both initiate and approve SF52 personnel actions           X\nTSA      03-02     Resource constraints in maintaining personnel system                       X\nTSA      03-03     (b)(2)High\n                   (b)(2)High\n                                                                                                          04-04\nTSA      03-04                                                                                            04-02\n\n\n\n\n                                                          42\n\x0c                                                        Appendix D\n\n                 Department of Homeland Security\n           Information Technology Management Comments\n                        September 30, 2004\n\n\n\n\nManagement Response to Draft Information Technology\n               Management Letter\n\n\n\n\n                              43\n\x0c                                             Appendix D\n\n      Department of Homeland 
Security\nInformation Technology Management Comments\n             September 30, 2004\n\n\n\n\n                   44\n\x0c                                             Appendix D\n\n      Department of Homeland Security\nInformation Technology Management Comments\n             September 30, 2004\n\n\n\n\n                   45\n\x0c                                             Appendix D\n\n      Department of Homeland Security\nInformation Technology Management Comments\n             September 30, 2004\n\n\n\n\n                   46\n\x0c                                             Appendix D\n\n      Department of Homeland Security\nInformation Technology Management Comments\n             September 30, 2004\n\n\n\n\n                   47\n\x0c                                             Appendix D\n\n      Department of Homeland Security\nInformation Technology Management Comments\n             September 30, 2004\n\n\n\n\n                   48\n\x0c                                             Appendix D\n\n      Department of Homeland Security\nInformation Technology Management Comments\n             September 30, 2004\n\n\n\n\n                   49\n\x0c                                             Appendix D\n\n      Department of Homeland Security\nInformation Technology Management Comments\n             September 30, 2004\n\n\n\n\n                   50\n\x0c                   Report Distribution\n\n                   Department of Homeland Security\n\n                   Secretary\n                   Deputy Secretary\n                   General Counsel\n                   Chief of Staff\n                   Executive Secretariat\n                   Under Secretary, Management\n                   Chief Information Officer\n                   Chief Financial Officer\n                   DHS Public Affairs\n                   DHS Audit Liaison\n                   Chief Information Office Audit Liaison\n                   DHS Public Affairs\n\n                   Office 
of Management and Budget\n\n                   Chief, Homeland Security Branch\n                   DHS OIG Budget Examiner\n\n                   Congress\n\n                   Congressional Oversight and Appropriations Committees as Appropriate\n\n\n\n\nInformation Technology Management Letter for the FY 2004 DHS Financial Statement Audit\n\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG\nweb site at www.dhs.gov.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind\nof criminal or noncriminal misconduct relative to department programs or\noperations, call the OIG Hotline at 1-800-323-8603; write to Department of\nHomeland Security, Washington, DC 20528, Attn: Office of Inspector\nGeneral, Investigations Division \xe2\x80\x93 Hotline. The OIG seeks to protect the\nidentity of each writer and caller.\n\x0c"